CAPEGA
Level I

How do I use Kerberos authentication HTTP request

Hi,

 

Does anyone know if Kerberos authentication can be used with the HTTP request method from JMP? I have an API I would like to connect to using this authentication method. What are the different authentication methods that can be used? Is there any cURL object in JMP (https://curl.haxx.se/)? It would be nice if you could provide an example, if available. Thank you in advance.

 

Here is a sample of a request

request_headers = AssociativeArray();
request_headers["Authorization"] = "";//Kerberos example

request = New HTTP Request(
	URL( url ), // the restAPI endpoint
	Method( "Get" ),
	Headers(request_headers),
	Query String( // define key pairs
		[["count" => limit]] // JSL associative array
	)
);

6 REPLIES

CAPEGA
Level I

Re: How do I use Kerberos authentication HTTP request

Hi all,

 

For context, I am trying to connect to an OsiSoft server for which secure authentication is needed.

Just to update and clarify, I know the authentication method should be in the HTTP get method; however, I am still missing how to specify the parameter for using other authentication methods. I understand that there is something similar to curl in the JMP HTTP request method. Can anyone explain to me how we can specify something similar for authentication as the following PHP code using curl? Thank you.

 

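<?php
$url = "someurl.com";

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  // return the body instead of printing it
// Disables TLS certificate verification, so the server that receives the
// Negotiate exchange is not authenticated.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_GSSAPI_DELEGATION, CURLGSSAPI_DELEGATION_FLAG);  // allow credential delegation
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);  // HTTP Negotiate (SPNEGO/Kerberos)
curl_setopt($ch, CURLOPT_USERPWD, ":");  // empty user:password, so the current Kerberos credentials are used
$result = curl_exec($ch);
$json_o = json_decode($result);
var_dump($json_o);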

stan_koprowski
Community Manager

Re: How do I use Kerberos authentication HTTP request

Hi @CAPEGA,

Unfortunately, we will need some additional information here to assist you further.

 

Which host are you using, that is, are you using a Mac or Windows?

What is the endpoint you are trying to reach?

What have you tried?

Do you get any errors?

Are you using a proxy server?

 

cheers,

Stan

CAPEGA
Level I

Re: How do I use Kerberos authentication HTTP request

Hi @stan_koprowski,

Thank you for your help. See below the answers to your questions:

 

> Which host are you using, that is, are you using a Mac or Windows?
 
The OsiSoft server running the PI Web API.
 
 
The server is running on Windows.

> What is the endpoint you are trying to reach?
 
Any endpoint of the OsiSoft Web API, the first one to try is:
 
 
> What have you tried?
 
Here is a very reduced version of the code:
 
url = "https://piserver123.example.com/piwebapi";
request = New HTTPRequest(
	URL( url ),
	Method( "Get" ),
	Query String( 
		[["selectedFields" => "Items"]]
	),
	Secure(0)
);

json = request << Send();
jsl_json = Parse JSON( json );
 
> Do you get any errors?
 
The API returns "Authorization has been denied for this request.". In JMP the error is: "HTTP/1.1 401 Unauthorized"
 
Which is the expected answer if the identity of the user running the request is not correctly recognized.
 
So the "trick" is to understand how to activate the equivalent of the "--negotiate" option of cURL (see man page here https://curl.haxx.se/docs/manpage.html ).
 
> Are you using a proxy server?
 
No.
 
Thanks!
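
As an added example (not part of the original posts, and not JMP or OSIsoft code), this Python code shows how to read a 401 like the one above: which schemes the server advertises in `WWW-Authenticate`, and whether a client's `Negotiate` token carries Kerberos/SPNEGO or an NTLM fallback. The header values and tokens are constructed samples, and one challenge per header line is assumed.

```python
import base64

# Constructed sample: headers of a 401 from a Windows-authenticated endpoint.
# Assumption: one challenge per WWW-Authenticate line.
SAMPLE_401_HEADERS = [
    ("Content-Type", "application/json"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="example"'),
]
# Constructed Authorization values (token prefixes only, not real tickets).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE_GSS = "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00\x06\x06").decode()


def offered_schemes(headers):
    """Return the lower-cased auth schemes a 401 advertises, in server order."""
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate" or not value.strip():
            continue
        scheme = value.split(None, 1)[0].lower()
        if scheme not in schemes:
            schemes.append(scheme)
    return schemes


def negotiate_mechanism(authorization_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    parts = authorization_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"    # NTLM carried inside Negotiate: Kerberos was not used
    if token[:1] == b"\x60":
        return "gssapi"  # GSS-API initial token (SPNEGO wrapping Kerberos)
    return "unknown"


if __name__ == "__main__":
    print(offered_schemes(SAMPLE_401_HEADERS))
    print(negotiate_mechanism(SAMPLE_NTLM), negotiate_mechanism(SAMPLE_GSS))
```

If the 401 does not list `Negotiate`, no client-side option will enable Kerberos; if the client's token classifies as `ntlm`, the Kerberos ticket request failed and the client fell back.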

 

stan_koprowski
Community Manager

Re: How do I use Kerberos authentication HTTP request

Hi @CAPEGA 

Thanks for the additional information. While Kerberos is an option, as you stated, and a valid means of establishing authentication, newer, more modern options that use SSL to authenticate are, in my opinion, preferred and are often thought of as the "current standard". With SSL you're asserting for yourself (via public/private key), whereas in Kerberos, even with public key cryptography (PKC) for session keys, the server (3rd party) is still doing the confirmation for you. Additionally, another benefit is that SSL also encrypts the transfer of data.

 

While Kerberos is a valid way of establishing authentication, I would recommend a different option. Based on what I read using the link provided previously, there are some settings for the PI Web API that would allow for bearer authentication using OpenID Connect (OAuth 2.0 based). The advantage here is that you have one login for multiple sites. The PI administrator would need to configure these changes. This feature is available beginning with the PI Web API 2017 release.

 

Most of the documentation for OSI Pi is not accessible to the general public so I cannot create a specific example.  I'd be happy to work with you directly if you are so inclined.  Please send me a private message and we can connect if you would like to pursue this option.

 

However, here is an example of using OpenID to access your Google profile picture (if you have a Google account).

 

Names Default To Here( 1 );
 
/*
Note: the "code" parameter is set automatically after the redirect occurs
*/
auth_url = "https://accounts.google.com/o/oauth2/v2/auth";
token_url = "https://www.googleapis.com/oauth2/v4/token";
redirect_url = "http://localhost/myapp/";
client_id = "581786658708-elflankerquo1a6vsckabbhn25hclla0.apps.googleusercontent.com";
client_secret = "3f6NggMbPtrmIBpgx-MK2xXK";
scope = "openid profile";
auth_fields = [=> ];
token_fields = [=> ];
			 
oauth2 = New OAuth2();
oauth2 << Grant Type( "Authorization Code" );
oauth2 << Auth URL( auth_url );
oauth2 << Token URL( token_url );
oauth2 << Redirect URL( redirect_url );
			 
auth_fields["scope"] = scope;
auth_fields["client_id"] = client_id;
token_fields["client_secret"] = client_secret;
			 
oauth2 << Auth Fields( auth_fields );
oauth2 << Token Fields( token_fields );
			 
auth_header = oauth2 << Get Auth Header();
request = New HTTP Request( URL( "https://www.googleapis.com/oauth2/v3/userinfo" ), Headers( {auth_header} ), Method( "GET" ) );
data = request << Send;
If( !Is Empty( data ),
	json_jsl = Parse JSON( data );
	If( json_jsl << Contains( "picture" ),
		picture_url = json_jsl["picture"];
		New Window( "Example", Picture Box( Open( picture_url ) ) );
	,
		Show( data )
	);
);

cheers,

Stan

CAPEGA
Level I

Re: How do I use Kerberos authentication HTTP request

Hi @stan_koprowski ,

 

Thanks for your suggestion. Those mechanisms are maybe very common on the (public) internet, but inside a company (private) network it is not that obvious. So to get back to the original question: is there an option of the JMP HTTP request object that will be compatible with the Windows authentication mechanism that is in place today with all our PI servers?

 

Cheers,

stan_koprowski
Community Manager

Re: How do I use Kerberos authentication HTTP request

Hi @CAPEGA,

I missed this one...Sorry for the long delay in responding to this post.

To use Kerberos to negotiate with http request you can use the following:

Password(":") 

 

// use webids for retrieving tags; get tag for particular webid 
	For( i = 1, i<=NItems(webids), i++,
		url_str = srvrname || "/streams/" || webids[i] || "/value";
		strms = New HTTP Request(
			 URL( url_str ),
				Method( "get" ),
				Headers( {"Accept: application/json"} ),
				Password(":") //for Kerberos authentication
		) << Send;

		dt_strms = json to data table( strms );
		//convert timestamp to JMP date format
		dt_strms << New Column( "Time",
		Numeric,
		Format( "y/m/d h:m:s", 22, 0 ),
		Input Format( "y/m/d h:m:s", 0 ),
		Formula(
				Try(
					delims = "-:TZ";
					rowWords = Words( :Timestamp, delims );
					{};
					YearChoice = 1;
					{};
					{};
					Date MDY( Num( Uppercase( rowWords[2] ) ), Num( rowWords[3] ), Num( rowWords[1] ) + 0 ) + Num( rowWords[6] )
					+Num( rowWords[5] ) * 60 + (Num( rowWords[4] ) + 0) * 3600 + If( Num( rowWords[4] ) < 12,
						0,
						0
					);
				)
			)
		);
		dt_strms = json to data table( strms, Invisible );  //hide table
		//concatenate into a single table
		If( i == 1, dt_tag_rslts = New Table( "Stream Results", Invisible );
		,
			dt_tag_rslts << Concatenate( Data Table( dt_strms), "Append to first table" );
			Close( dt_strms, "No Save" );
		);
	);